dkim, seal the email content

dkim explained

DKIM is the acronym for DomainKeys Identified Mail, an email authentication standard
designed to guarantee that an email (attachments included) has not been modified since the “signature” was affixed.

It achieves this by affixing a digital signature, linked to a domain name, to each outgoing email message.

Two keys are used, a “public” and a “private” one:

the “public” key is published in a TXT record of the signing domain’s dns

the “private” key is stored within the smtp server and used to “sign” the outgoing email messages

While sending a message, the smtp server computes a hash of the email message contents and signs it with the private key; this “signature” is added to the email header.

The recipient system verifies the signature found in the email header, checking it against the email content as received and the sender’s “public” key published in dns.

how to make dkim work

DKIM signatures are not immediately visible to end users: they are added and verified by the email infrastructure.

how to configure dkim

All the configuration is generally done by technicians at the server level.

No setup is needed on the user/administrator side, unless the messages must be signed with the sender’s own domain.

In that case the smtp server provider will give you instructions on the changes to be made in your domain’s dns.

dkim downsides

A dkim-sealed message can’t be modified without breaking the signature, but dkim does not encrypt anything: the message can still be read by anyone.

A signed message that does not pass verification usually gets rejected.
If nothing has been changed along the way from sender to recipient, this should not happen.

We’ve experienced rare cases, all related to line length (it must be at most 990 characters).
Some applications send the content all on one line or transmit a very long line within the html.
On these occasions the dkim signature gets corrupted, causing a “dkim=fail” check result.
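The body-hash part of the check described above, as an added example that is not code from the original page: the signer canonicalizes the body and records its hash, the recipient recomputes it from the body as received, and a mismatch is already a “dkim=fail”. It implements the “relaxed” body canonicalization of RFC 6376 with only the Python standard library (the RSA signing of the header hash is left out), and `relay_fold_long_lines` is a constructed stand-in for a relay that breaks over-long lines, using the 990-character figure quoted on this page as an assumption.

```python
import base64
import hashlib
import hmac
import re

WSP_RUN = re.compile(rb"[ \t]+")


def canonicalize_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4 'relaxed' body canonicalization: strip trailing whitespace,
    collapse runs of SP/TAB to one SP, drop empty lines at the end of the body."""
    lines = [WSP_RUN.sub(b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes) -> str:
    """The bh= tag of a DKIM-Signature header: base64 of SHA-256 over the
    canonicalized body."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_body_hash(received_body: bytes, bh_tag: str) -> bool:
    """First step of verification: recompute bh= from the body as received and
    compare it with the signer's value. A mismatch is reported as dkim=fail
    before the RSA signature is even checked."""
    return hmac.compare_digest(body_hash(received_body), bh_tag)


def relay_fold_long_lines(body: bytes, limit: int = 990) -> bytes:
    """Constructed stand-in for a relay that breaks lines longer than `limit`
    octets (the page's figure); it models the behaviour, not any specific MTA."""
    out = []
    for line in body.split(b"\r\n"):
        while len(line) > limit:
            out.append(line[:limit])
            line = line[limit:]
        out.append(line)
    return b"\r\n".join(out)


if __name__ == "__main__":
    # Constructed sample bodies. Whitespace-only changes survive relaxed
    # canonicalization; a line break inserted into an over-long line does not.
    signed = b"Hello  world \r\n\r\n"
    print("whitespace changed :", verify_body_hash(b"Hello world\r\n", body_hash(signed)))
    html = b"<html><body>" + b"<p>long line</p>" * 100 + b"</body></html>\r\n"
    print("long line folded   :", verify_body_hash(relay_fold_long_lines(html), body_hash(html)))
```

The first check passes and the second fails, which is exactly the “dkim=fail” outcome the page describes for html sent as one very long line.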